SNAT using Proxy SSL
Hi,
I am planning to create a virtual server, with ssl profiles (client and server) which will use the Proxy SSL feature. I wonder if the virtual server has to use a SNAT pool, automap (which I am planning to use) or none.
F5 11.6.1
Thanks!
- Samir_Jha_52506Noctilucent
It completely depends on the organization's network setup. SNAT Automap uses the egress VLAN interface IP. If you don't have visibility into the next-hop setup, I would suggest you configure SNAT Automap on the VIP.
For the Client->F5->Server, consider these scenarios:
Routed: client source address goes to the server. Routes are necessary back through the F5 BIG-IP on the servers or the servers' gw.
SNAT Automap: client source is managed on BIG-IP; source is translated to the self IP on the egress interface heading toward the servers. For servers needing source IP for reporting or decision processes.
SNAT Pool: client source is managed on F5 BIG-IP, but source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application, so I know what flows belong to what application on the inside of the organization/DMZ as appropriate. If traffic doesn't need to come back through the BIG-IP, you can also SNAT to the original client's source IP.
- Samir_Jha_52506Noctilucent
Cool. Proxy (ClientSSL/ServerSSL) SSL doesn't require any additional settings. I would suggest you check the existing VIP configuration (if any) on the same F5 device and make the new VIP config based on that. I mean whether you need the SNAT automap option or not. You can enable SNAT automap, no issue.
- crengifo_232216Nimbostratus
Thanks f5_rock!
I was concerned about whether the use of the Proxy SSL feature requires a special setting on the SNAT for the virtual server. So, based on your information, I can use the one most affordable to the organization where I work.
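The setup discussed in this thread, sketched as tmsh commands. This is an added example, not configuration posted by any participant; every object name and address in it (proxyssl_client, proxyssl_server, app1_pool, app1_snatpool, vs_app1_443, 192.0.2.10, 10.20.0.x) is a constructed placeholder.

```tmsh
# Entered at the tmsh prompt. All names and addresses below are constructed
# placeholders for illustration.

# Proxy SSL is switched on in both SSL profiles. The client-ssl profile has to
# present the same certificate and key as the back-end server; attach them to
# the profile the way your other profiles on this device do.
create ltm profile client-ssl proxyssl_client defaults-from clientssl proxy-ssl enabled
create ltm profile server-ssl proxyssl_server defaults-from serverssl proxy-ssl enabled

# Pool of back-end servers (placeholder member).
create ltm pool app1_pool members add { 10.20.0.11:443 }

# Virtual server with both Proxy SSL profiles and SNAT Automap: the server
# sees the BIG-IP self IP of the egress VLAN as the source address.
create ltm virtual vs_app1_443 destination 192.0.2.10:443 ip-protocol tcp pool app1_pool profiles add { tcp proxyssl_client { context clientside } proxyssl_server { context serverside } } source-address-translation { type automap }

# Alternative 1, SNAT pool: translate to an address chosen per application,
# so internal flows can be tied back to this virtual server.
create ltm snatpool app1_snatpool members add { 10.20.0.50 }
modify ltm virtual vs_app1_443 source-address-translation { type snat pool app1_snatpool }

# Alternative 2, routed (no SNAT): the server sees the real client address
# and must route its replies back through the BIG-IP.
modify ltm virtual vs_app1_443 source-address-translation { type none }

# Confirm which translation mode is active.
list ltm virtual vs_app1_443 source-address-translation
```

The Proxy SSL profile settings are identical in all three variants; only the source-address-translation stanza changes.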